[00:14.180 --> 00:19.700]  Hello, everyone. My name is Paramarket and I welcome you to O365 Squatting.
[00:19.700 --> 00:27.400]  If you are not already joined in the Discord chat, please go to the BlueTeamVillage.org website, click on the Discord link and join.
[00:27.400 --> 00:31.340]  Please give a warm welcome to Juan Francisco and Jose Miguel.
[00:36.230 --> 00:41.710]  Thank you. Thank you. Thank you very much. Thank you for coming to this virtual talk.
[00:41.710 --> 00:50.710]  We're going to talk about the tool that we have developed, O365 Squatting, but we are going to make a very brief introduction.
[00:50.790 --> 00:56.350]  I'm working, I'm Juan Francisco Bolivar, working as a manager on IT security in a pharma company.
[00:56.350 --> 01:07.110]  I have been working during the last years in security. I have published a book and I am also collaborating with 11Paths as chief security envoy.
[01:07.110 --> 01:16.630]  Hey, guys. This is Jose Miguel Gomez. I've been working in security from the very beginning in my working life.
[01:16.630 --> 01:21.070]  I've been, my main role has been IT security analyst.
[01:21.150 --> 01:28.070]  Nowadays, I'm working in a pharma sector company, but I am also a researcher and cybersecurity enthusiast.
[01:28.150 --> 01:37.090]  I've been working with several multinational enterprise companies, assisting and helping them to do a more secure company.
[01:37.810 --> 01:45.550]  And also, I've been studying for a more red team acknowledged as OSCP and OSCE.
[01:46.550 --> 01:51.870]  So, let's start with the real part. The challenge in Azure.
[01:51.870 --> 02:03.090]  Of course, all of us know that Azure and the cloud in general, it's helping all of us and also the IT people to create easy services and domains.
[02:03.090 --> 02:04.810]  So, there is a clear benefit.
[02:04.810 --> 02:08.610]  However, the attacker has also a really good benefit.
[02:08.610 --> 02:19.790]  When you create an account on Azure, you have an onmicrosoft.com domain associated with your account.
[02:19.790 --> 02:23.450]  So, you are getting a Microsoft domain for you.
[02:23.450 --> 02:26.810]  And this is something that we are going to see during this speak.
[02:26.810 --> 02:29.910]  That is something that attackers are going to exploit.
[02:29.910 --> 02:39.550]  This research and this tool has been performing our experience and the cases that we are seeing every day coming from the attackers.
[02:39.550 --> 02:43.490]  So, what is going on with the Microsoft domain?
[02:43.490 --> 02:50.090]  When you create, let's say, an account called DEF CON with this three and an O in the middle on Azure,
[02:50.090 --> 02:57.950]  you are automatically granted the onmicrosoft.com domain for your username.
[02:57.950 --> 03:04.270]  So, if you try to find what is on the DNS, how is it resolved?
[03:04.270 --> 03:07.390]  It is resolved directly to the Azure DNS.
[03:07.790 --> 03:12.490]  And, of course, the whois is talking about is part of the Microsoft.
[03:12.490 --> 03:19.290]  So, it's a good starting point that we are able to have an onmicrosoft.com domain.
[03:19.670 --> 03:21.510]  So, what is the problem?
[03:21.510 --> 03:27.630]  The problem is that you can use this domain in order to create exchange servers.
[03:27.630 --> 03:32.750]  And, of course, the hackers and the attackers are going to be using this technique.
[03:32.750 --> 03:38.050]  This technique will allow you to see a kind of image like this.
[03:38.050 --> 03:43.870]  We have seen that it was requesting some payments and was coming from a Microsoft domain.
[03:43.870 --> 03:47.790]  Of course, the first idea of a blue teamer is, okay, let's block that domain.
[03:47.790 --> 03:51.810]  But it's not a really good idea to block a Microsoft domain.
[03:51.810 --> 03:56.430]  It will have a lot of impact into your infrastructure and to real emails.
[03:56.430 --> 04:01.890]  So, other of the problems is below, beyond this small black box,
[04:01.890 --> 04:09.350]  the attacker was trying also to create confusion, creating similar domains to the original one.
[04:09.350 --> 04:14.690]  So, it was increasing the problem for the users to identify these emails.
[04:14.690 --> 04:20.730]  So, we were finding, we encountered a problem and we tried to find a solution.
[04:21.030 --> 04:23.010]  We started to analyze the headers.
[04:23.010 --> 04:28.590]  Of course, all the headers are coming from Outlook domains and protection.outlook domains.
[04:28.590 --> 04:33.390]  So, everything looks good, good that is coming from Microsoft.
[04:33.390 --> 04:38.490]  We analyzed one of the IP addresses and, of course, was belonging to Microsoft domain.
[04:38.490 --> 04:44.070]  So, we cannot block it either because it was part of the Outlook infrastructure
[04:44.070 --> 04:48.110]  and it will, again, have a lot of impact on our users.
[04:49.170 --> 04:53.890]  Also, part of the header was the message ID.
[04:53.890 --> 04:59.610]  Again, pointing to Outlook domains, and also we were considering the SPF part.
[04:59.610 --> 05:04.350]  The SPF part was not working mainly because Microsoft has configured to none
[05:04.350 --> 05:07.030]  and none is equal to neutral.
[05:07.030 --> 05:12.930]  What it will not block by using this protection, the receiving of emails.
[05:12.930 --> 05:20.210]  There is other headers like transport or anti-spam mailbox and anti-spam message.
[05:20.210 --> 05:22.430]  So, a lot of protections are there.
[05:23.710 --> 05:26.130]  So, we were finding a problem.
[05:26.130 --> 05:31.050]  We are creating, attackers are creating domains on Microsoft and using it to send it to spam
[05:31.050 --> 05:33.070]  but we are not able to detect it.
[05:33.070 --> 05:37.950]  So, something that we detect is as soon as you create an account,
[05:37.950 --> 05:42.050]  not only the Microsoft account or domain is created,
[05:42.050 --> 05:47.890]  it's also creating automatically a SharePoint site with your name following this pattern.
[05:47.890 --> 05:52.390]  So, if the original one is the first, the attackers will be going to start to create
[05:52.390 --> 05:57.130]  all these similar typosquatting attacks related to onmicrosoft.com.
[05:57.130 --> 05:58.870]  So, what is the case?
[05:58.870 --> 06:05.210]  We need to be able to detect these domains and we need to be able to block it.
[06:05.250 --> 06:11.010]  We are not able to do it with onmicrosoft.com because it's not creating a real website.
[06:11.010 --> 06:14.750]  It's only on the Azure DNS. It's not in the public DNSs.
[06:15.270 --> 06:17.830]  So, it's something that we need to work with.
[06:17.830 --> 06:25.370]  We detected the SharePoint.com and we applied this technique of detection of these websites to detect this.
[06:25.370 --> 06:27.010]  So, we are going to spam code.
[06:27.010 --> 06:33.290]  We are going to detect these domains on this new creation based on SharePoint.com.
[06:34.630 --> 06:38.810]  It's not possible neither to detect these SharePoint domains based on reputation.
[06:38.810 --> 06:46.390]  We have been using Malvertise that is a well-known reputation site for checking the reputation of the sites.
[06:46.390 --> 06:53.550]  And we detected that the ones that have been already sending spam or sending users as a phishing was detected,
[06:53.550 --> 06:56.110]  was already detected as a SharePoint.com.
[06:56.110 --> 07:01.230]  However, the ones that are created but still not used wasn't found.
[07:01.230 --> 07:07.130]  So, we as a blue team, we need to be able to protect before the attack happens.
[07:07.130 --> 07:12.150]  And we thought, okay, let's do something by ourselves to check how to block it.
[07:12.270 --> 07:19.470]  So, what we do is we created a list of possible domains of our company or the company that you want,
[07:19.470 --> 07:23.230]  using typosquatting, omission, bitsquatting, homoglyph.
[07:23.230 --> 07:25.690]  And then we found a pattern.
[07:25.690 --> 07:30.890]  We found a pattern that all the domains related to SharePoint have two answers.
[07:30.890 --> 07:36.210]  If the domain exists, then it has a 302 server redirection answer
[07:36.210 --> 07:39.090]  and it's going to the login page of Azure.
[07:39.110 --> 07:43.270]  If the domain does not exist or is still not created by the attacker,
[07:43.270 --> 07:47.930]  then it's a 503 service available and we can detect it.
[07:47.930 --> 07:49.370]  So, why to do it manually?
[07:49.370 --> 07:57.210]  Let's automate the attack and then let's export it to a JSON or a CIF file in order to import into our systems.
[07:57.210 --> 08:01.270]  So, this is the idea of our tool, how to demonstrate these steps.
[08:01.530 --> 08:05.790]  And my colleague, Jose, will show you a little bit more about how to work with it.
[08:05.950 --> 08:07.030]  Here, guys.
[08:07.190 --> 08:09.450]  So, we are just leaving the presentation part.
[08:09.450 --> 08:14.710]  Let's go with the well-known part of this.
[08:15.550 --> 08:18.370]  What we're going to show you is how this tool is working.
[08:18.370 --> 08:29.250]  Francisco told us that we are going to create a number of well-known domain squatting techniques
[08:29.250 --> 08:36.990]  to create this list of potential domains that could be impersonating a company in the Microsoft infrastructure.
[08:37.730 --> 08:41.590]  So, with all this, we are working with our tool.
[08:41.590 --> 08:47.010]  These are all algorithms you can use.
[08:47.010 --> 08:51.850]  You can check by one single domain in the Microsoft infrastructure.
[08:52.230 --> 08:59.310]  You can also check for one single domain and start generating all possible domains.
[08:59.650 --> 09:05.850]  And you can also use a file with a list of domains that you want to monitor.
[09:05.850 --> 09:11.550]  It's just the same as a single domain, but you can do more bulky jobs with this.
[09:11.550 --> 09:18.030]  The rest of the arguments are just for helping you guys with a script.
[09:18.070 --> 09:19.810]  You can create a service.
[09:19.810 --> 09:21.710]  It's very service-friendly.
[09:21.710 --> 09:23.570]  You can create a cron job with all this.
[09:23.950 --> 09:26.910]  So, you are entering into business.
[09:27.190 --> 09:33.370]  You want to check for one single domain.
[09:33.370 --> 09:35.230]  This is the response it's giving you.
[09:35.230 --> 09:36.410]  The domain is up.
[09:36.410 --> 09:42.990]  But if you are trying for one single that we already know is not existing, it's not available.
[09:43.250 --> 09:48.470]  But if you take a closer look at this, this is one of the domains that is up.
[09:48.650 --> 09:55.910]  And since you are, of course, a Microsoft company, you need to monitor all this response.
[09:56.270 --> 09:59.750]  But, of course, if you want the full list, you can create this.
[09:59.750 --> 10:12.010]  And you can have some kind of verbose output and record the output on a file with a format in CEF format.
[10:12.390 --> 10:22.070]  So, this is where the script starts checking in Microsoft.com infrastructure what kind of domains are up and running.
[10:22.070 --> 10:25.230]  In the meantime, we are going to show you part of the code.
[10:26.410 --> 10:31.410]  This is where we are starting to do some tests in Microsoft infrastructure.
[10:32.990 --> 10:39.930]  Single domain is creating all domain squatting possible domains.
[10:39.970 --> 10:49.550]  And all these have been passed to the test on Microsoft function for every one instance in the list.
[10:49.850 --> 10:54.630]  With all this, we are just having the rest of the job is done.
[10:56.110 --> 11:09.070]  Just for letting you know what kind of technique we are registering, we are having, for instance here, all domain squatting being registered for keyboard typos.
[11:09.070 --> 11:22.790]  We are having here for bit squatting, homoglyph, because you are comparing every single letter in the language with similar ones that are likely to be used for impersonating the companies.
[11:24.330 --> 11:30.670]  And after this, as you can see on the left, you have the output of the file.
[11:30.830 --> 11:42.630]  You can see that you are having a very beautiful output for a CEF format that either Syslog or something can interpret.
[11:42.630 --> 11:50.610]  You can pass this to your SIEM tools and you can start monitoring this kind of domains.
[11:52.030 --> 11:53.370]  And that's all for the tool.
[11:54.990 --> 12:01.870]  After this, we are working to upload this tool on GitHub.
[12:01.870 --> 12:07.110]  This is the link where you have available the source code.
[12:07.730 --> 12:10.370]  And this is not the end of this project.
[12:10.370 --> 12:14.630]  We are working for, have a lot of work the next month.
[12:14.630 --> 12:19.650]  We would like to have some kind of automation for the domain takeover.
[12:19.970 --> 12:32.490]  We also want to convert it in a container to be published in Docker Hub, because we know there's a lot of blue team fellows that would like to have this in their Kubernetes.
[12:32.490 --> 12:40.170]  We also want to expand the tech in other domains in Azure, because it's not over with only a monitor SharePoint.
[12:40.170 --> 12:44.990]  We believe that there is more things to do in the Microsoft infrastructure.
[12:46.030 --> 12:52.430]  And very important, we should expand this to other big company clouds, such as Amazon or Google.
[12:52.430 --> 13:03.410]  We are looking for partners that will help us and will have our tool to monitor this kind of impersonations.
[13:03.850 --> 13:11.710]  We also would like to hear your voice and know what kind of other output would be fine for this tool.
[13:12.070 --> 13:15.170]  And every idea is welcome.
[13:15.170 --> 13:18.850]  And also, why not check reputation and abuse public databases?
[13:18.850 --> 13:27.890]  Because we would like to help these public databases to create more information.
[13:27.890 --> 13:42.670]  When we detect one of our domain detected, it could be nice to be reported automatically if we check that something is wrong, something is trying to harm our company.
[13:42.670 --> 13:47.330]  Prior, because keep in mind that this is just anticipation.
[13:47.330 --> 13:48.870]  There is no attack yet.
[13:48.870 --> 13:55.630]  We are just covering the potential attackers in domain squatting.
[13:56.370 --> 14:00.090]  And after this, I believe we are done.
[14:01.830 --> 14:05.210]  Any questions? Thank you for your time.
[14:05.670 --> 14:09.750]  We know it's for you guys Saturday morning.
[14:09.750 --> 14:14.530]  You have still a long way today in Blue Team Village.
[14:14.650 --> 14:18.250]  I hope you enjoy our talk and our tool.
[14:18.250 --> 14:22.970]  You can also access to the GitHub and start using it in your companies.
[14:22.970 --> 14:27.710]  If you want to talk to us, here you have our Twitter.
[14:27.710 --> 14:30.950]  You can also contact us in our GitHub.
[14:31.570 --> 14:35.350]  And we are welcome for any suggestions or help.
[14:35.350 --> 14:37.910]  So still, thank you guys.
[14:37.910 --> 14:38.750]  Thank you very much.
[14:38.750 --> 14:40.110]  And any questions?
[14:40.110 --> 14:41.590]  I don't have any questions, yeah.
[14:47.240 --> 14:50.180]  Yeah, we are seeing the link is not available.
[14:51.340 --> 14:55.520]  We are deploying the code after this talk.
[14:55.660 --> 15:00.120]  Because we did not want to, because, you know, this is a...
[15:00.120 --> 15:09.640]  We are in a cloud, so we would like to have this working up and running right before this talk.
[15:09.640 --> 15:11.960]  So now we are going to deploy this code.
[15:11.960 --> 15:17.460]  Yeah, on the next day you will have available on this GitHub the full code.
[15:17.460 --> 15:18.540]  So don't worry.
[15:18.540 --> 15:22.620]  It will be not later than Monday, okay?
[15:25.740 --> 15:29.860]  Is there any kind of throttling you ran into with the tool like with others?
[15:30.720 --> 15:31.960]  No, I believe not.
[15:31.960 --> 15:34.380]  We did not have any throttling.
[15:35.100 --> 15:37.800]  The thing is we were...
[15:39.280 --> 15:52.480]  The very first step was like we were attacking a lot Microsoft infrastructure because we were throwing a lot of requests, you know.
[15:52.680 --> 15:58.960]  So far, we've been only detecting without any issues.
[15:58.960 --> 16:04.860]  And every single domain is what we detected, and it was not fine for us.
[16:04.860 --> 16:06.920]  It had been reported to Microsoft.
[16:07.740 --> 16:12.080]  Yeah, this is answering the question if we have been contacting with Microsoft.
[16:12.080 --> 16:20.180]  We are contacting with Microsoft each time that we detect a fake report or a fake domain.
[16:20.180 --> 16:22.200]  We are reporting it to abuse.
[16:23.120 --> 16:30.820]  You know all these abuse websites that request thousands of data from the information.
[16:30.820 --> 16:36.060]  So we need something more agile in order to protect our infrastructure.
[16:36.060 --> 16:40.340]  So we always report this kind of active domains.
[16:40.340 --> 16:45.300]  But before the attack, we're importing it into our solution.
[16:45.300 --> 16:49.800]  But yes, we are contacting Microsoft reporting these domains.
[16:52.140 --> 17:04.160]  Yes, Cyborg42 is asking, can the tool be used to generate a list of typosquatting domains in JSON or XML format which can be imported into ELK or Splunk?
[17:04.160 --> 17:06.510]  The answer is yes, you can.
[17:06.820 --> 17:14.420]  Well, and yes and no, because you can create a list of detected, generated and detected domains.
[17:14.420 --> 17:26.320]  But for the part that is a list of typosquatting domains not being detected, there are already several tools in the wild that you can use for your own purpose.
[17:26.320 --> 17:36.160]  But if you are looking for a JSON well-formatted file that includes all detected domains in the Microsoft infrastructure, yes.
[17:36.160 --> 17:40.360]  It's one of the outputs allowed by our tool.
[17:48.150 --> 17:48.970]  Yeah, we see.
[17:48.970 --> 17:52.290]  Yeah, thank you for the offer. You work in...
[17:52.290 --> 17:53.110]  In Azure.
[17:53.110 --> 18:01.230]  Yeah, if you need something smart, just let us know. You have our contact, so feel free to reach us, okay? Thanks.
[18:05.090 --> 18:06.430]  Any other questions, guys?
[18:14.420 --> 18:17.820]  I think that's all. We solved all the questions on each other, right?
[18:20.620 --> 18:21.500]  Yeah.
[18:21.540 --> 18:22.460]  All right.
[18:22.460 --> 18:31.060]  Thank you for your time, then, and continue with the plan on DEFCON Blue Team. It's a lot of information and a lot of good values there.
[18:31.060 --> 18:35.120]  So, thank you for this time and thank you for your good feedback about the talk.
